On Thu, Aug 13, 2015 at 11:04:42AM +0200, Petr Vobornik wrote:
> On 08/13/2015 05:28 AM, Fraser Tweedale wrote:
> >On Wed, Aug 12, 2015 at 02:56:54PM +0200, Petr Vobornik wrote:
> >>usercertificate attr was moved from "System Modify Users" to this
> >>new permission.
> >>
> >>https://fedorahosted.org/freeipa/ticket/5177
> >>
> >>Note: hosts have permission "System: Manage Host Certificates", services
> >>don't have it but usercertificate is in "System: Modify Services". I would
> >>move it as well if usercertificate was not the only attr in "System: Modify
> >>Services".
> >>
> >New permission works as expected.
> >
> >What are the implications of removing userCertificate attribute from
> >"Modify Users" ACI?  Users could be relying on it given that there
> >is (until now) no more fine-grained permission.
> I'm not sure what is the expected ACI upgrade behavior but applying this
> patch on installed server and running ipa-server-upgrade ends with
> userCertificate still in "System: Modify Users" permission - it eliminates
> your worry. The rest of users who still run IPA < 4.2 won't even notice.
Ah, I see.

This raises a different problem: different ACIs on different
deployments, depending on when IPA was installed.  Unless I am
misunderstanding something, isn't that an undesirable situation?


> >
> >Perhaps we should
> >
> >a) use update script to add the new permission to any roles that
> >    have the Modify Users permission, or
> >b) not remove the userCertificate attribute from the ACI, or
> >c) deem this change acceptable and leave the patch as-is, in which
> >    case: ACK
> >
> >Cheers,
> >Fraser
> >
> -- 
> Petr Vobornik

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to